Stopping Macbooks seeing Windows Shares on network

[sparky2020]

Hi All.
I have been running windows networks for the past many years. Server 2012 with lots of windows machines. the school decided to buy 30 macbooks. have them running with profile manager on macserver with AD on server2012 for login authentication. mapped drives, homefolders and everything working fine so far, JUST ONE BIG problem. macbooks can see all the windows machines on the network and the associated shares in the finder. I managed to get a script that hides them, until you click show. Is there anyway i can hise them permanently? or something i can use on the profile manager on macserver to do this.
the current script I am testing is below. but when it runs it works but the pop up shows on the desktop of the mac, which i dont want to happen. running this script silently would help.
any help would be greatly appreciated.
I am not too clever with scripting on macs but will always give it a bash.

defaults write com.apple.sidebarlists networkbrowser -dict-add CustomListProperties
"<dict><key>com.apple.NetworkBrowser.backToMyMacEnabled</key><false/>
<key>com.apple.NetworkBrowser.bonjourEnabled</key><false/>
<key>com.apple.NetworkBrowser.connectedEnabled</key><false/>
</dict>"

defaults write com.apple.sidebarlists systemitems -dict-add ShowServers -bool NO
defaults write com.apple.sidebarlists favorites -dict-add ShowServers -bool NO
defaults write com.apple.finder SidebarSharedSectionDisclosedState -bool NO

killall Finder

 

[DJLC]

So — your script is manually altering preferences. What may work better for you is creating a custom profile in Profile Manager that alters those preferences instead. In Windows parlance — you're deploying a batch script when you should be deploying a GPO.

I don't use Profile Manager anymore personally, but experimenting with the "Custom Preferences" feature should get you where you need to go. IIRC, you'll create the profile, then add the preference domains you want to modify (the "com.apple.xxx" parts from your script), and finally the value those preference domains should contain (boolean no, etc.).

Doing it that way locks the user out from modifying those preferences similar to the way a GPO works in Windows — so theoretically, the "Show" button would do nothing b/c the profile overrides it.

 

[sparky2020]

Hi. Thanks for your reply.
I will try to create a custom profile on monday when i get back into work.
I already Have a profile for the 30 devices, and all the devices are in that group. i will look into that
profile and see if i can modify it.
The script I have shown above is just one that i have been testing on a spare macbook, not one connected to the
profile manager.
I use GPM on the server 2012 to push policies out only to windows machines, The server has all the macbooks in an
OU. But I dont use it to push out anything to the macbooks. The server 2012 only authenticates the logons for the staff and pupils.
The profile manager manager on the mac server manages the settings for the macbook. I am looking at locking down
the macbooks from the profile manager. Thats why I am a little stuck.
I will update this thread on monday after i give it a bash.
thanks

 

[satcomer]

Just make different subnets!